Compliance Matters

— June 15, 2007

The best protection of a company's reputation is the security of its clients' data.

It didn't take long for police in Oakbrook Terrace, Ill., to figure out where the 911 call was coming from. Within minutes, rescue workers had arrived at the Grant Thornton office building on South Meyers Road to help an employee who had passed out.

"They knew where to go. They knew the address and knew that [the receptionist who called] was on the third floor," says Miguel Jorge, the telecommunications team leader for the Chicago-based accounting, tax and business advisory firm. The exact location of the Grant Thornton employee, however, didn't come from the receptionist but from the voice-over IP (VoIP) telephone system.

Illinois is one of 14 states complying with a 1999 federal mandate that requires businesses to provide enhanced 911 (E911) services for the protection of employees and visitors. The law, called the Wireless Communications and Public Safety Act, designated 911 as the universal national emergency telephone number within the United States. It also required carriers to provide location information for mobile phone users dialing 911. With the advent of VoIP and other wireless phone services, in 2005 the Federal Communications Commission required VoIP carriers to provide E911 service. The agency called it an "essential service" and said the ruling would remedy a serious life or death problem.

E911 is just one of the numerous corporate compliance regulations designed to protect corporate employees, corporate customers and the customers' private information. Often industry-specific, most impose fines for non-compliance.

"There are some common threads in each of the different compliance regulations," says John Livingston, CEO of Absolute Software, a Vancouver-based developer of tracking software for mobile computers. "Securing your devices is one of the common threads. Securing information on those devices is another. You also need to understand where all your sensitive data is."

Research firm Gartner also emphasized this idea in a 2006 research report, Stolen FTC Laptops Show Extent of Lax Security. "Organizations need to take a strategic, layered approach to data security, rather than focusing solely on one or two exposure points," it advised.

Protecting Relationships
Pat Lefemine, chief information security officer of the Philadelphia-based financial services company Lincoln Financial, knew that the company stored sensitive data on company laptops. He also knew - thanks to the efforts of his firm's legal department - that it had to comply with California Senate Bill 1386, a 2002 law requiring businesses to publicly reveal security breaches that expose unencrypted confidential information about consumers. What he didn't know was how best to protect the data on the company's laptops.

"We looked at what the risk would be of doing nothing, and our only [viable] solution at the end of the day was to put some sort of encryption on the laptop," says Lefemine. "The whole computer had to be encrypted, not just one folder."

To encrypt its laptops, Lincoln Financial turned to GuardianEdge, a San Francisco developer of data protection software. GuardianEdge software uses a pre-boot password or smartcard authentication to ensure that only authorized users gain access to computers containing sensitive data.

Lincoln Financial deployed GuardianEdge's hard drive encryption solution in early 2004, and despite its initial costs, Lefemine believes the deployment has saved the company millions of dollars and has helped it avoid the public embarrassment of revealing a data security breach - the so-called "CNN moment."

"We did a very quick and dirty quantitative analysis on what we potentially saved by having this program in place, and the numbers are in the seven figures, if not eight," Lefemine notes. "The savings to Lincoln Financial has been tremendous."

Companies with branch offices in several states may be required to comply with multiple laws. For example, Lincoln Financial is required to comply with both California Senate Bill 1386 and the Sarbanes-Oxley Act (SOX). Passed in 2002, SOX is a complex set of new financial accounting rules that applies to all U.S. companies in all industries. It was created in response to the corporate and accounting scandals at Enron and WorldCom.

"The number of laws and compliance regulations are going up, they're not going down," says Ram Krishnan, senior VP of products and marketing for GuardianEdge. "But it's not a black-and-white process. Companies are coming into compliance gradually."

The California Department of Health Services (CDHS) also uses Encryption Plus Hard Disk software from GuardianEdge to comply with the Health Insurance Portability and Accountability Act (HIPAA). Perhaps the most well-known of compliance laws, HIPAA was passed in 1996 to protect the confidentiality of patient medical records and health information. The law applies to health insurers, hospitals, pharmacies, laboratories, HMOs, dentists and assisted living facilities.

Though it is designed to ensure patient confidentiality, HIPAA puts hospitals in a "catch-22," says Absolute Software's Livingston. Some of the computers that store patient records are located in areas frequented by visitors and members of the public, making them vulnerable to loss and theft. Absolute Software offers healthcare providers a resolution to this dilemma - a tracking mechanism called Computrace, which works similarly to LoJack: an Internet-based location-tracking agent on the device enables Absolute Software to locate it should it be lost or stolen.

Another wide-reaching mandate is the Gramm-Leach-Bliley Act (GLBA), which requires the protection of customer records in the financial sector.

When U.K.-based law firm Allen & Overy worried that information was leaving its offices on USB drives, it turned to Pointsec to help enforce a security policy across its 25 offices worldwide. With Pointsec Device Protector it was able to control all plug-and-play storage devices; encrypt stored information; force virus scans and filtering of inbound executable software; and securely support remote workers in far-flung locations, knowing that client information was always secure.

"Having fully implemented Pointsec Device Protector across the firm, we now know what data is being removed, due to the extensive auditing capability," says Mark Heathcote, the firm's IT architect and design manager. "But most importantly we're also sure that the data is secure at all times."
